CN113381853B - Method and device for generating random password and client authentication - Google Patents

Method and device for generating random password and client authentication

Info

Publication number: CN113381853B
Authority: CN (China)
Legal status: Active
Application number: CN202010161856.2A
Other languages: Chinese (zh)
Other versions: CN113381853A (en)
Inventor: 叶世豪
Current assignee: Beijing Jingdong Zhenshi Information Technology Co Ltd
Original assignee: Beijing Jingdong Zhenshi Information Technology Co Ltd
Application filed by Beijing Jingdong Zhenshi Information Technology Co Ltd; priority to CN202010161856.2A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords > H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords > H04L9/0869 Generation of secret information involving random numbers or seeds
    • H04L9/06 The encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators > H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08 > H04L9/0861 > H04L9/0863 Generation of secret information involving passwords or one-time passwords
    • H04L9/32 Including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials > H04L9/3226 Using a predetermined code, e.g. password, passphrase or PIN

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a device for generating a random password and authenticating a client, and relates to the field of computer technology. One embodiment of the method comprises the following steps: acquiring the current first time of a client; determining a first time feature according to the first time and the agreed time; and determining a random password according to the first key and the first time feature, where the first time is the system time displayed by the client. The embodiment addresses the technical problems that a fixed authentication password is easy to attack and that random-padding encryption is easy to crack, so that the generated random password is hard to crack in transit and is convenient to decrypt.

Description

Method and device for generating random password and client authentication
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and apparatus for generating a random password and authenticating a client.
Background
In the prior art, the client and the server agree on a password for authentication in order to verify whether data comes from a trusted client: each time the client calls a service and transmits data, it sends the agreed authentication password to the server in plaintext or ciphertext, and the server checks whether the received password matches the agreed one; if it does, the call is treated as coming from a trusted client.
In the process of implementing the present invention, the inventor finds that at least the following problems exist in the prior art:
1. The fixed authentication password is either sent unencrypted or sent as a fixed ciphertext produced by random-padding encryption; an attacker only needs to take the plaintext or ciphertext password intercepted from the transmitted data and insert it into forged message data to deceive the server.
2. If https or other random-padding encryption is used to produce the random password, the cost of each encryption and decryption can be quite high, which is unfavorable for cost control.
Disclosure of Invention
In view of the above, embodiments of the present invention provide a method and an apparatus for generating a random password, which address the technical problems of the prior art that a fixed authentication password is easy to attack and that random-padding encryption is easy to crack, so that the authentication password is hard to crack in transit, the cost is reduced, and decryption is convenient.
To achieve the above object, according to one aspect of an embodiment of the present invention, there is provided a method of generating a random password, including:
acquiring the current first time of a client;
determining a first time feature according to the first time and the agreed time;
determining a random password according to the first key and the first time characteristic;
wherein the first time is a system time of the client.
Optionally, before determining the random password according to the first key and the first time feature, the method includes:
encrypting a preset key, and determining a first key;
determining a random password from the first key and the first temporal feature, comprising:
performing hash calculation on the first key and the first time feature to generate a first hash value;
and determining a random password according to the first hash value.
Optionally, encrypting the preset key to determine the first key includes:
truncating a fingerprint string to a fixed number of characters;
acquiring the address of the client;
and combining the truncated fingerprint string, the address of the client and the preset key to generate the first key.
Optionally, before truncating the fingerprint string to the fixed number of characters, the method includes:
acquiring a data message generated by the client;
and generating the fingerprint string corresponding to the message with the MD5 message digest algorithm.
Optionally, the first time feature is calculated as:
Tn1 = (unixtime(now1) - unixtime(T0)) / TS
where Tn1 is the first time feature;
now1 is the first time, and unixtime(now1) is its timestamp;
T0 is the agreed time, and unixtime(T0) is its timestamp;
TS is the time step.
Optionally, determining the random password according to the first hash value includes:
truncating the first hash value to a preset password length;
and using the truncated first hash value as the random password.
According to another aspect of an embodiment of the present invention, there is provided a method for authenticating a client, including:
receiving an authentication request sent by a client;
determining a second time feature according to the agreed time and a second time at which the authentication request is received;
determining a reference password according to a second key and the second time feature;
judging whether the reference password is the same as the random password; if they are the same, the client is determined to have access rights.
Optionally, before determining the reference password according to the second key and the second time feature, the method includes:
encrypting the preset key, and determining a second key;
determining a reference password from the second key and the second temporal feature, comprising:
performing hash calculation on the second key and the second time feature to generate a second hash value;
and determining a reference password according to the second hash value.
Optionally, encrypting the preset key to determine the second key includes:
truncating a second fingerprint string to a fixed number of characters;
acquiring the address of the client;
and combining the truncated second fingerprint string, the address of the client and the preset key to generate the second key.
Optionally, before truncating the second fingerprint string to the fixed number of characters, the method includes:
acquiring the data message received by the server;
and generating the second fingerprint string of the received data message with the MD5 message digest algorithm.
Optionally, the second time feature is calculated as:
Tn2 = (unixtime(now2) - unixtime(T0)) / TS
where Tn2 is the second time feature;
now2 is the second time, and unixtime(now2) is its timestamp;
T0 is the agreed time, and unixtime(T0) is its timestamp;
TS is the time step.
Optionally, determining the random password according to the second hash value includes:
truncating the second hash value to the preset password length;
and using the truncated second hash value as the random password.
According to another aspect of an embodiment of the present invention, there is provided an electronic device that generates a random password, including:
one or more processors;
storage means for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of client authentication of the present invention.
According to another aspect of an embodiment of the present invention, there is provided an electronic device for client authentication, including:
one or more processors;
storage means for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of client authentication of the present invention.
According to another aspect of an embodiment of the present invention, there is provided a computer readable medium having stored thereon a computer program which, when executed by a processor, implements a method of client authentication of the present invention.
One embodiment of the above invention has the following advantages or benefits:
because the random password for authentication is generated by combining the current time, the agreed time and the preset secret key, the technical problems that a fixed authentication password is easy to attack and that random-padding encryption is easy to crack are solved, and the technical effects that the authentication password is hard to crack, the cost is reduced and decryption is convenient are achieved.
Further effects of the optional features described above are explained below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of the main flow of a method of generating a random password according to an embodiment of the invention;
FIG. 2 is a schematic diagram of a particular embodiment of a method of generating a random password in accordance with an embodiment of the present invention;
FIG. 3 is a schematic diagram of the main flow of a method of client authentication according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a particular embodiment of a method of client authentication according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the main modules of an apparatus for generating random passwords according to an embodiment of the invention;
FIG. 6 is a schematic diagram of the main modules of an apparatus for client authentication according to an embodiment of the present invention;
FIG. 7 is an exemplary system architecture diagram in which embodiments of the present invention may be applied;
FIG. 8 is a schematic diagram of a computer system suitable for use in implementing an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, in which various details of the embodiments of the present invention are included to facilitate understanding, and are to be considered merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
The client needs to generate a random password before initiating a request to the server, and the password generated by the client is transmitted to the server together with the client's service data. After the server receives the request, it needs to check the validity of the password, and in this way it judges whether the data it received is valid.
Fig. 1 is a schematic diagram of a main flow of a method for generating a random password according to an embodiment of the present invention, as shown in fig. 1, including:
step S101, acquiring the current first time of a client;
step S102, determining a first time feature according to the first time and the agreed time;
step S103, determining a random password according to the first secret key and the first time characteristic;
wherein the first time is a system time of the client. I.e. the first time is the system time presented on the client.
The invention uses the TOTP algorithm to authenticate the client, thereby achieving dynamic verification.
The TOTP algorithm (Time-based One-Time Password algorithm) computes a one-time password from a preset key and the current time.
The first time is the system time displayed by the client and is also the moment when the client starts to generate the random password.
The password generated by the client is a one-time password and can be used only once, so that the effect of generating a dynamic password is achieved.
Because the client transmits one piece of service data each time, and the password generated for each transmission is different, the server needs to verify that the password it receives is really the client's password.
The password generated by the client is determined by the client's current first time, the agreed time and the preset key, which avoids the technical defect of the prior art that the password is easy to crack because it is not encrypted or is only encrypted with random padding. The inputs to the client's password generation are easy to obtain, so a randomly generated password is achieved while the encryption cost is effectively controlled.
In the invention, the moment at which the client starts to generate the random password is the first time, but because of network delay the clock readings of the server and the client may differ, so timestamps are used so that the time point can be calculated conveniently and uniformly.
A timestamp uniquely identifies a moment in time. Optionally, the timestamp is advanced in fixed intervals, thereby reducing the potential search space.
Specifically, the first time feature is calculated as:
Tn1 = (unixtime(now1) - unixtime(T0)) / TS
where Tn1 is the first time feature;
now1 is the first time, and unixtime(now1) is its timestamp;
T0 is the agreed time, and unixtime(T0) is its timestamp;
TS is the time step.
Assuming TS is 30 seconds, the time feature is the same for every now1 that falls within the same 30-second step (the division is taken as an integer quotient, so the feature only changes when a step boundary is crossed).
Optionally, before determining the random password according to the first key and the first time feature, the method includes:
encrypting a preset key, and determining a first key;
determining a random password from the first key and the first temporal feature, comprising:
performing hash calculation on the first key and the first time feature to generate a first hash value;
and determining a random password according to the first hash value.
The hash calculation may be HMAC-SHA-1 (hash-based message authentication code with the SHA-1 secure hash algorithm), which takes the first key and the first time feature and determines the client-generated authentication password.
In this embodiment, the hash calculation converts data of any length into a password of fixed length, which both realizes the encryption of the authentication password and greatly saves the storage space of the password generated by the client.
Optionally, encrypting the preset key to determine the first key includes:
truncating a fingerprint string to a fixed number of characters;
acquiring the address of the client;
and combining the truncated fingerprint string, the address of the client and the preset key to generate the first key.
To increase the difficulty of cracking the password, optionally, before truncating the fingerprint string to the fixed number of characters, the method includes:
acquiring a data message generated by the client;
and generating the fingerprint string corresponding to the message with the MD5 message digest algorithm.
Because the key is derived from the data message with the MD5 message digest algorithm, the difficulty of cracking the first key is greatly increased, which in turn makes the password generated by the client harder to tamper with and crack.
In this scheme, because the IP address and the message fingerprint are included in the first key, if the message is intercepted and forwarded, the forwarder's IP address does not match the IP address in the encryption key, so the second key generated by the server does not match the first key generated by the client, and the server can thereby determine whether the client's transmitted data has been attacked.
If the message is intercepted and tampered with, the message fingerprint generated by the client differs from the one generated by the server, so the CipherCode2 generated by the server differs from the CipherCode1 carried in the client's message; the server concludes that the message data it received differs from the message data generated by the client, rejects the tampered client message, and the tampering or attack is stopped.
Optionally, determining the random password according to the first hash value includes:
truncating the first hash value to a preset password length;
and using the truncated first hash value as the random password.
When the server receives the password generated by the client, it needs to determine whether the password is valid, that is, whether the data it received has been viewed or tampered with by a third party.
The method of generating the random password is described in detail below in one embodiment. Fig. 2 is a schematic diagram of a specific embodiment of a method for generating a random password according to an embodiment of the present invention, as shown in fig. 2:
S201, acquiring the first time now1 of the client;
S202, calculating the first time feature Tn1 from the first time now1. The first time feature is determined from the Unix timestamp unixtime(now1), the timestamp unixtime(T0) of the agreed starting time point, and the time step TS:
Tn1 = (unixtime(now1) - unixtime(T0)) / TS;
S203, generating a fingerprint string from the message data Message with MD5, and truncating it to the fixed number of characters agreed between the client and the server. Optionally, the first 32 characters are taken as the fingerprint of the message:
MessageKey1 = TruncateMD5(MD5(Message1));
S204, assembling the first key SecretKey1 from the preset key LocalSecretKey shared between the server and the client, the address IpAddress1 of the current client, and the message data Message1 carried by the current request:
SecretKey1 = Concat(LocalSecretKey, "-", IpAddress1, "-", MessageKey1);
For example, if LocalSecretKey is hello, IpAddress1 is 10.182.10.17, and MessageKey1 is 873c40ac22fc8bd19674b9b778cc42d2, the assembled key is hello-10.182.10.17-873c40ac22fc8bd19674b9b778cc42d2.
S205, applying HMAC-SHA-1 with the first key SecretKey1 to produce a 160-bit hash value, the password string CipherCodeArray1:
CipherCodeArray1 = HMAC-SHA-1(SecretKey1, Tn1);
S206, truncating CipherCodeArray1 to a fixed number of characters, such as the first 20, as the random password CipherCode1:
CipherCode1 = Truncate(CipherCodeArray1).
after the server receives the data of the client, it needs to identify whether the data of the client is valid. Fig. 3 is a schematic diagram of the main flow of a method for client authentication according to an embodiment of the present invention, as shown in the figure, including:
step S301, receiving an authentication request sent by a client; the authentication request carries a random password;
step S302, determining a second time feature according to the agreed time and a second time at which the authentication request is received;
step S303, determining a reference password according to a preset secret key and the second time feature;
step S304, judging whether the reference password is the same as the random password; if they are the same, the client is determined to have access rights.
Wherein the step of generating the reference password is similar to the step of generating the password by the client.
Optionally, the second time feature is calculated as:
Tn2 = (unixtime(now2) - unixtime(T0)) / TS
where Tn2 is the second time feature;
now2 is the second time, and unixtime(now2) is its timestamp;
T0 is the agreed time, and unixtime(T0) is its timestamp;
TS is the time step.
When the server receives the client's password, it can accept the client's data only if the elapsed interval is within the set time step. Assuming the time step is 30 seconds, if the server receives the client's data within 30 seconds, the server can use the client's service data.
Optionally, before determining the reference password according to the second key and the second time feature, the method includes:
encrypting the preset key, and determining a second key;
determining a reference password from the second key and the second temporal feature, comprising:
performing hash calculation on the second key and the second time feature to generate a second hash value;
and determining a reference password according to the second hash value.
Optionally, encrypting the preset key to determine the second key includes:
acquiring the data message received by the server;
and generating the second fingerprint string of the received data message with the MD5 message digest algorithm.
When the received data message is identical to the data message sent by the client, the generated second fingerprint string is the same, and the second secret key generated from it is also the same as the first secret key; however, when the data message is tampered with in transit, the received data message differs from the one sent by the client, the generated second fingerprint string is different, the second secret key generated from it differs from the first secret key, and the final reference password differs from the password generated by the client.
Optionally, determining the second key according to the second fingerprint string includes:
truncating the second fingerprint string to a fixed number of characters;
acquiring the address of the client;
and combining the truncated second fingerprint string, the address of the client and the preset key to generate the second key.
Optionally, determining the random password according to the second hash value includes:
truncating the second hash value to the preset password length;
and using the truncated second hash value as the random password.
The method of client authentication is described in detail below in a specific embodiment corresponding to fig. 2.
Fig. 4 is a schematic diagram of a specific embodiment of a method for authenticating a client according to an embodiment of the present invention, as shown in fig. 4, including:
step S401, obtaining a second time now2;
step S402, calculating the second time feature Tn2 from the second time now2. Tn2 is determined from the Unix timestamp unixtime(now2), the timestamp unixtime(T0) of the agreed time, and the time step TS:
Tn2 = (unixtime(now2) - unixtime(T0)) / TS
step S403, generating a fingerprint string from the message data Message2 with MD5, and truncating it to the fixed number of characters agreed with the server. Optionally, the first 32 characters are taken as the fingerprint of the message:
MessageKey2 = TruncateMD5(MD5(Message2))
The message data Message2 is the same as Message1 if it has not been tampered with.
S404, assembling the second key SecretKey2 from the preset key LocalSecretKey shared between the server and the client, the address IpAddress2 of the client from which the request was received, and the message data Message2 carried by the current request:
SecretKey2 = Concat(LocalSecretKey, "-", IpAddress2, "-", MessageKey2)
If no third party has tampered with the password generated by the client during transmission, IpAddress2 is the same as IpAddress1.
S405, applying HMAC-SHA-1 with the second key SecretKey2 to produce a 160-bit hash value, the password string CipherCodeArray2:
CipherCodeArray2 = HMAC-SHA-1(SecretKey2, Tn2)
S406, truncating CipherCodeArray2 to a fixed number of characters, such as the first 20, as the reference password CipherCode2:
CipherCode2 = Truncate(CipherCodeArray2).
S407, judging whether the password CipherCode1 generated by the client is the same as the reference password CipherCode2; if they are identical, authentication succeeds, and if they differ, the authentication request is invalid.
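The client-side steps S201 to S206 and the server-side steps S401 to S407 above, carried through in Python as an added example (not code from the patent or its assignee). It assumes integer division for Tn, the decimal string of Tn as the HMAC message, hex digests for MD5 and HMAC-SHA-1, and constructed values for T0, the message and the second IP address; hmac.compare_digest replaces the page's plain equality check.

```python
import hashlib
import hmac

# Constructed parameters for this walkthrough (not values from the patent).
T0 = 1_577_836_800    # agreed time T0: 2020-01-01T00:00:00Z as a Unix timestamp
TS = 30               # time step TS in seconds
FINGERPRINT_LEN = 32  # S203: 32 hex characters of the MD5 digest (the full digest)
CODE_LEN = 20         # S206: first 20 hex characters of the HMAC-SHA-1 digest
LOCAL_SECRET = "hello"                   # LocalSecretKey from the page's example
CLIENT_IP = "10.182.10.17"               # IpAddress1 from the page's example
MESSAGE = b'{"order":"A100","qty":2}'   # constructed Message1


def time_feature(now: int, t0: int = T0, ts: int = TS) -> int:
    """Tn = (unixtime(now) - unixtime(T0)) / TS with integer division, so the
    feature is constant within one time step (the page's 30-second window)."""
    return (now - t0) // ts


def message_key(message: bytes) -> str:
    """S203 / S403: MessageKey = TruncateMD5(MD5(Message)), as a hex string."""
    return hashlib.md5(message).hexdigest()[:FINGERPRINT_LEN]


def secret_key(local_secret: str, ip_address: str, message: bytes) -> str:
    """S204 / S404: SecretKey = Concat(LocalSecretKey, "-", IpAddress, "-", MessageKey)."""
    return "-".join((local_secret, ip_address, message_key(message)))


def cipher_code(local_secret: str, ip_address: str, message: bytes, now: int) -> str:
    """S205-S206 / S405-S406: HMAC-SHA-1 keyed with SecretKey over the time
    feature, truncated to CODE_LEN hex characters.  Assumption: Tn is passed to
    HMAC as its decimal string; the page does not fix that encoding."""
    key = secret_key(local_secret, ip_address, message).encode()
    tn = str(time_feature(now)).encode()
    array = hmac.new(key, tn, hashlib.sha1).hexdigest()  # 160-bit CipherCodeArray
    return array[:CODE_LEN]


def authenticate(local_secret: str, source_ip: str, received_message: bytes,
                 received_code: str, now2: int) -> bool:
    """S401-S407: rebuild the reference password from what the server actually
    received (its own clock, the source IP it sees, the message bytes it got)
    and compare.  compare_digest is an added hardening over the page's plain
    equality test: it makes the comparison constant-time."""
    reference = cipher_code(local_secret, source_ip, received_message, now2)
    return hmac.compare_digest(reference, received_code)


def demo() -> dict:
    """Run the four cases the page's checks are meant to separate."""
    now1 = T0 + 5  # client generates the password 5 s into step 0
    code1 = cipher_code(LOCAL_SECRET, CLIENT_IP, MESSAGE, now1)
    return {
        # unchanged message, same source IP, server clock still in step 0
        "valid": authenticate(LOCAL_SECRET, CLIENT_IP, MESSAGE, code1, now1 + 3),
        # message altered in transit: MessageKey2 != MessageKey1, so the keys differ
        "tampered_message": authenticate(LOCAL_SECRET, CLIENT_IP,
                                         b'{"order":"A100","qty":200}', code1, now1 + 3),
        # same message and code seen from another address: IpAddress2 != IpAddress1
        "forwarded_ip": authenticate(LOCAL_SECRET, "10.182.10.99", MESSAGE, code1, now1 + 3),
        # everything unchanged, but the server's clock has crossed into step 1
        "next_step": authenticate(LOCAL_SECRET, CLIENT_IP, MESSAGE, code1, now1 + 30),
    }


if __name__ == "__main__":
    print(demo())
```

The next_step case makes explicit what the page's equality check implies: a request whose delivery crosses a step boundary is rejected, because the scheme as described compares only the current step and allows no tolerance window.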
Fig. 5 is a schematic diagram of main modules of an apparatus for generating a random password according to an embodiment of the present invention, and as shown in fig. 5, there is provided an apparatus 500 for generating a random password, including:
a first time obtaining module 501, configured to obtain a current first time of a client;
a first time feature determining module 502, configured to determine a first time feature according to the first time and the agreed time;
a random password generation module 503, configured to determine a random password according to the first key and the first time feature.
Optionally, before determining the random password according to the first key and the first time feature, the method includes:
encrypting a preset key, and determining a first key;
determining a random password from the first key and the first temporal feature, comprising:
performing hash calculation on the first key and the first time feature to generate a first hash value;
and determining a random password according to the first hash value.
Optionally, encrypting the preset key, determining the first key includes:
intercepting a fingerprint character string with fixed digits;
acquiring the address of the client;
and combining the intercepted fingerprint character string, the address of the client and a preset key to generate a first key.
Optionally, before intercepting the fingerprint string with the fixed number of bits, the method includes:
acquiring a data message generated by a client;
and generating a fingerprint character string corresponding to the message according to an MD5 message digest algorithm.
Optionally, the first time feature is calculated by the formula:
Tn1 = (unixtime(now1) - unixtime(T0)) / TS
wherein Tn1 is the first time feature;
now1 is the first time, and unixtime(now1) is the timestamp of the first time;
T0 is the contracted time, and unixtime(T0) is the timestamp of the contracted time;
TS is the time step.
Optionally, determining the random password according to the first hash value includes:
intercepting the first hash value according to a preset password length;
and determining the intercepted first hash value as the random password.
Fig. 6 is a schematic diagram of main modules of an apparatus for client authentication according to an embodiment of the present invention, as shown in fig. 6, there is provided an apparatus 600 for client authentication, including:
an authentication request receiving module 601, configured to receive an authentication request sent by a client;
a second time feature determining module 602, configured to determine a second time feature according to the contracted time and a second time when the authentication request is received;
a reference password determining module 603, configured to determine a reference password according to the second key and the second time feature;
an authentication module 604, configured to judge whether the reference password is the same as the random password; if they are the same, the client is determined to have access rights.
Optionally, before determining the reference password according to the second key and the second time feature, the method includes:
encrypting the preset key, and determining a second key;
determining a reference password from the second key and the second temporal feature, comprising:
performing hash calculation on the second key and the second time feature to generate a second hash value;
and determining a reference password according to the second hash value.
Optionally, encrypting the preset key, determining the second key includes:
intercepting a second fingerprint character string with fixed digits;
acquiring the address of the client;
and combining the intercepted second fingerprint character string, the address of the client and a preset key to generate a second key.
Optionally, before intercepting the second fingerprint string with a fixed number of bits, the method includes:
acquiring a data message received by a server;
and generating a second fingerprint character string of the received data message according to the MD5 message digest algorithm.
Optionally, the second time feature is calculated by the formula:
Tn2 = (unixtime(now2) - unixtime(T0)) / TS
wherein Tn2 is the second time feature;
now2 is the second time, and unixtime(now2) is the timestamp of the second time;
T0 is the contracted time, and unixtime(T0) is the timestamp of the contracted time;
TS is the time step.
Optionally, determining the reference password according to the second hash value includes:
intercepting the second hash value according to the preset password length;
and determining the intercepted second hash value as the reference password.
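The client-side generation (modules 501 to 503 and the optional steps that follow them) and the server-side verification (modules 601 to 604) are the two halves of one procedure, so the following added Python example implements both end to end. It is not code from the patent or its assignee. The page fixes neither the hash used over the key and the time feature nor the way the fingerprint, client address and preset key are combined, so HMAC-SHA256 over a separator-joined key, the contracted time T0, the step TS, the fingerprint and password lengths, and the sample message and addresses are all assumptions constructed for this example; the MD5 fingerprint of the data message follows the page. The optional skew_steps window in server_verify is also an addition the page does not describe: without it, a client whose clock is a few seconds off from the server is rejected whenever the request crosses a time-step boundary.

```python
import hashlib
import hmac
import time

# Constructed parameters for this example; the page fixes none of these values.
T0 = 1583798400            # contracted time: 2020-03-10 00:00:00 UTC (assumption)
TS = 30                    # time step in seconds (assumption)
PASSWORD_LEN = 20          # preset password length in hex characters (assumption)
FINGERPRINT_LEN = 8        # fixed number of fingerprint characters intercepted (assumption)
PRESET_KEY = b"example-preset-key-shared-out-of-band"   # constructed, not a real secret


def time_feature(now: int, t0: int = T0, ts: int = TS) -> int:
    """Tn = (unixtime(now) - unixtime(T0)) / TS, taken as an integer step count."""
    return (now - t0) // ts


def fingerprint(message: bytes, n: int = FINGERPRINT_LEN) -> str:
    """MD5 fingerprint of the data message (as on the page), intercepted to n hex digits."""
    return hashlib.md5(message).hexdigest()[:n]


def derive_key(message: bytes, client_addr: str, preset_key: bytes = PRESET_KEY) -> bytes:
    """Combine the intercepted fingerprint, the client address and the preset key.

    The page does not say how the three parts are combined; joining them with a
    separator is this example's assumption."""
    return b"|".join([fingerprint(message).encode(), client_addr.encode(), preset_key])


def random_password(key: bytes, tn: int, length: int = PASSWORD_LEN) -> str:
    """Hash the key with the time feature and intercept the digest to the password length.

    The page only says 'hash calculation'; HMAC-SHA256 keyed with the derived key
    over the decimal time feature is this example's choice."""
    digest = hmac.new(key, str(tn).encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def client_generate(message: bytes, client_addr: str, now1: int) -> str:
    """Client side: first key from the message it generated, first time feature from its clock."""
    key1 = derive_key(message, client_addr)
    return random_password(key1, time_feature(now1))


def server_verify(message: bytes, client_addr: str, received: str, now2: int,
                  skew_steps: int = 0) -> bool:
    """Server side: second key from the received message, second time feature from the
    server clock, then compare the reference password with the one the client sent.

    skew_steps is an addition not on the page: it also accepts passwords computed for
    the neighbouring time steps so a small clock offset does not reject a valid client."""
    key2 = derive_key(message, client_addr)
    tn2 = time_feature(now2)
    for delta in range(-skew_steps, skew_steps + 1):
        reference = random_password(key2, tn2 + delta)
        # Constant-time comparison so the check does not leak how many characters matched.
        if hmac.compare_digest(reference, received):
            return True
    return False


if __name__ == "__main__":
    msg = b"GET /api/orders?id=42"        # constructed data message
    addr = "203.0.113.7"                  # constructed client address (documentation range)
    now = int(time.time())
    pw = client_generate(msg, addr, now)
    print("Tn1 =", time_feature(now), "password =", pw)
    print("accepted:", server_verify(msg, addr, pw, now + 2, skew_steps=1))
```

Two points worth checking in any implementation of this scheme: the comparison in S407 should use hmac.compare_digest rather than a plain equality so the server does not leak how many characters of the reference password matched, and the only secret input to the first and second key is the preset key, since the fingerprint is derived from the message itself and the client address is visible on the wire; the unpredictability of the password therefore rests on that key and on the password length, not on the MD5 fingerprint.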
Fig. 7 illustrates an exemplary system architecture 700 of a method and apparatus for generating random passwords and client authentication to which embodiments of the invention may be applied.
As shown in fig. 7, a system architecture 700 may include terminal devices 701, 702, 703, a network 704, and a server 705. The network 704 is the medium used to provide communication links between the terminal devices 701, 702, 703 and the server 705. The network 704 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with the server 705 via the network 704 using the terminal devices 701, 702, 703 to receive or send messages or the like. Various communication client applications such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only) may be installed on the terminal devices 701, 702, 703.
The terminal devices 701, 702, 703 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 705 may be a server providing various services, such as a background management server (by way of example only) providing support for shopping-type websites browsed by users using the terminal devices 701, 702, 703. The background management server may analyze and process the received data such as the product information query request, and feedback the processing result (e.g., the target push information, the product information—only an example) to the terminal device.
It should be noted that, the method for authenticating a client provided in the embodiment of the present invention is generally executed by the server 705, and accordingly, the client authentication device is generally disposed in the server 705.
It should be understood that the number of terminal devices, networks and servers in fig. 7 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 8, there is illustrated a schematic diagram of a computer system 800 suitable for use in implementing an embodiment of the present invention. The terminal device shown in fig. 8 is only an example, and should not impose any limitation on the functions and the scope of use of the embodiment of the present invention.
As shown in fig. 8, the computer system 800 includes a central processing unit (CPU) 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data required for the operation of the system 800 are also stored. The CPU 801, ROM 802, and RAM 803 are connected to each other by a bus 804. An input/output (I/O) interface 805 is also connected to the bus 804.
The following components are connected to the I/O interface 805: an input portion 806 including a keyboard, mouse, etc.; an output portion 807 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk or the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. The drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as needed so that a computer program read out therefrom is mounted into the storage section 808 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 809, and/or installed from the removable medium 811. The above-described functions defined in the system of the present invention are performed when the computer program is executed by the central processing unit (CPU) 801.
The computer readable medium shown in the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules involved in the embodiments of the present invention may be implemented in software or in hardware. The described modules may also be provided in a processor, for example, as: a processor includes a sending module, an obtaining module, a determining module, and a first processing module. The names of these modules do not in some cases limit the module itself, and for example, the transmitting module may also be described as "a module that transmits a picture acquisition request to a connected server".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be present alone without being fitted into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to include:
acquiring the current first time of a client;
determining a first time feature according to the first time and the contracted time;
determining a random password according to the first key and the first time feature;
wherein the first time is the system time of the client.
The technical solution provided by the embodiments of the present invention achieves the following beneficial effects:
because the random password used for authentication is generated by combining the current time, the contracted time and the preset key, the technical problems that a fixed authentication password is easy to attack and that random-padding encryption is easy to crack are solved, and the technical effects that the authentication password is not easy to crack, the decryption cost is reduced and decryption at the receiving end is convenient are achieved.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives can occur depending upon design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (13)

1. A method of generating a random password, comprising:
acquiring the current first time of a client;
determining a first time feature according to the first time and the contracted time;
determining a random password according to the first key and the first time feature;
wherein the first time is the system time of the client;
before determining the random password according to the first key and the first time feature, the method comprises the following steps:
intercepting a fingerprint character string with fixed digits;
acquiring the address of the client;
combining the intercepted fingerprint character string, the address of the client and a preset key to generate a first key;
before intercepting the fingerprint character string with fixed digits, the method comprises the following steps:
acquiring a data message generated by a client;
and generating a fingerprint character string corresponding to the message according to an MD5 message digest algorithm.
2. The method of claim 1, wherein, before determining the random password according to the first key and the first time feature, the method comprises:
encrypting a preset key, and determining a first key;
determining a random password from the first key and the first temporal feature, comprising:
performing hash calculation on the first key and the first time feature to generate a first hash value;
and determining a random password according to the first hash value.
3. The method of claim 1, wherein the first time feature is calculated by the formula:
Tn1 = (unixtime(now1) - unixtime(T0)) / TS
wherein Tn1 is the first time feature;
now1 is the first time, and unixtime(now1) is the timestamp of the first time;
T0 is the contracted time, and unixtime(T0) is the timestamp of the contracted time;
TS is the time step.
4. The method of claim 2, wherein determining a random password from the first hash value comprises:
intercepting the first hash value according to a preset password length;
and determining the intercepted first hash value as the random password.
5. A method for authenticating a client, comprising:
receiving an authentication request sent by a client; the authentication request carries a random password generated by the method of any one of claims 1-4;
determining a second time feature according to the contracted time and a second time at which the authentication request is received;
determining a reference password according to a second key and the second time feature;
judging whether the reference password is the same as the random password; if they are the same, the client is determined to have access rights.
6. The method of claim 5, wherein, before determining the reference password according to the second key and the second time feature, the method comprises:
encrypting the preset key, and determining a second key;
determining a reference password from the second key and the second temporal feature, comprising:
performing hash calculation on the second key and the second time feature to generate a second hash value;
and determining a reference password according to the second hash value.
7. The method of claim 6, wherein encrypting the preset key, determining the second key, comprises:
intercepting a second fingerprint character string with fixed digits;
acquiring the address of the client;
and combining the intercepted second fingerprint character string, the address of the client and a preset key to generate a second key.
8. The method of claim 7, wherein, before intercepting the second fingerprint string with a fixed number of bits, the method comprises:
acquiring a data message received by a server;
and generating a second fingerprint character string of the received data message according to the MD5 message digest algorithm.
9. The method of claim 5, wherein the second time feature is calculated by the formula:
Tn2 = (unixtime(now2) - unixtime(T0)) / TS
wherein Tn2 is the second time feature;
now2 is the second time, and unixtime(now2) is the timestamp of the second time;
T0 is the contracted time, and unixtime(T0) is the timestamp of the contracted time;
TS is the time step.
10. The method according to any of claims 6-8, wherein determining a random password from the second hash value comprises:
intercepting the second hash value according to the preset password length;
and determining the intercepted second hash value as the random password.
11. An electronic device for generating a random password, comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-4.
12. An electronic device for client authentication, comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 5-10.
13. A computer readable medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the method according to any of claims 1-10.
Application CN202010161856.2A, priority date 2020-03-10, filing date 2020-03-10, "Method and device for generating random password and client authentication", status Active, published as CN113381853B (en).

Publications (2)

Publication number and publication date:
CN113381853A (en) 2021-09-10
CN113381853B (en) 2024-04-16 (granted publication)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant